An Information Security Analyst’s Take on CISPA

I often get asked what I do for a living, which has proven next to impossible to explain. Most of the time it goes something like “I protect my company from people like Wikileaks” — which is both correct, and wholly inaccurate. I work in information security for a major financial services company, which means that my primary job is to protect our clients’ data, money, and privacy. As a financial institution, our business is based around a pretty simple concept: trust. If we can’t protect their money, ensure the safety of their information, or keep our systems online and available for them to use, they will move to someone who will.

This all presents some interesting situations, especially as lawmakers try to legislate in our arena. It’s always interesting to hear what people who have no idea about cyber security think we should be doing to keep our companies, and country, safe. You may have noticed that there is a bill that keeps popping up in conversation over the past year called the Cyber Intelligence Sharing and Protection Act, or CISPA. On the surface, it seems like a very logical solution. As a country, we see attacks happening all over the place and it makes sense that a concerted government response would mitigate some of the risks, but let’s discuss cyber security a little more before we make our minds up.

We all have seen the denial of service attacks that have hit major banks around the country. Denial of service attacks can be a part of what we call zero-day attacks. This means that they take advantage of a vulnerability that was previously unknown, such that the attack is day zero of awareness. Other forms of zero day attacks would be worms, viruses, Trojans, and other forms of malware. There is a side that argues that if we have better information sharing, the window for zero day attacks shrinks due to more eyes on the code and quicker identification of vulnerabilities. This is very true, but it doesn’t cover situations where companies have privately developed code which isn’t shared outside of the company.

There are many different threats to our private companies, as well as our government. There are nation states that actively sponsor cyber-attacks, such as China. When hackers benefit from backing from foreign governments, it can be very hard to compete and stay safe. Hacking is also sold as a service. Do you think its expensive to hire a hacker? Think again. Here is a price list from late 2012:

I won’t get into what each one does, but the point is that it is much more expensive to secure ourselves than it is for someone to hire a Russian hacking network to hack a corporate mailbox. And don’t make the mistake of thinking that these people are amateurs; they are good at what they do. As the Wall Street Journal recently reported, a Russian network is believed to be responsible for an assault on a major European agency that fights spam, which brought down internet speeds worldwide.

Want another example of what we are dealing with? From Spiegel.de: “In August 2005, hackers, presumably from Eastern Europe, demanded that German online gambling site Fluxx pay them €40,000 in the form of a Western Union wire transfer, in return for their stopping DDoS attacks on the company. The Germans refused to pay. British and other online casinos and gambling sites were not as resolute — they paid a total of $4 million in ransom money to a gang of Russian hackers.”

Now let’s talk about what we do to protect ourselves. We already work with each other. I don’t know of any major company that isn’t part of some sort of information sharing group between private companies. There are things like the Financial Services Information Security and Analysis Center or FS-ISAC, which top financial services utilize to keep each other aware of trends and threat levels in the financial sector. By staying alert to what we see, we protect each other. There are many other examples of things like this, but the key point is that the data is shared without threatening personal privacy. If any data is shared, its scrubbed of all PII, which is anything which could identify you, such as: user IDs, names, addresses, phone numbers, etc. We also focus entirely on cyber security.

Top companies also have huge information security departments, and if they don’t they are rapidly building them. The demand for security professionals has skyrocketed in the last few years, and looks like it will continue to for a while.

It is vitally important that companies work diligently to identify vulnerabilities in code before they ever go out the door, and most companies have things like software development life-cycle programs to find problems before going into production. There are also vulnerability scanning tools that allow us to scan out networks and try to stay ahead of external malicious actors.

The key to me is that we all work together to share strategies: share coding practices that are most secure, share information on how attackers are getting in, share ideas on how security can be better. Keep the focus on cyber security, not national defense.

The problem with measures such as CISPA is that they don’t have the same focus. CISPA allows the sharing of data to investigate crimes that have nothing to do with cyber threats, and could be utilized as some sort of willy nilly digital wiretap. Data doesn’t have to be “cleansed” of personal information, and it also gives immunity to private companies so that they can’t be sued for negligence or mishandling consumers’ data.

How would that impact businesses in the US? The biggest impact I see is that Europe already has much more stringent privacy laws, so if CISPA were enacted I would be seriously concerned about how our companies operated around the world. There would at the very least have to be a segregation of data so that European data didn’t get drawn into the CISPA regulations, or worse, it would drive our companies out of Europe and force us to exclusively use subsidiaries to do business abroad, which would eat at profits and kill our ability to be competitive.

I have been secretly hoping that our country would move in the direction of unifying with Europe with our privacy laws, but it looks like we are going the other way. Is that any surprise given how enthusiastically we jumped at things such as the PATRIOT Act?

Guest columnist Matthew Martin is a Sr. Information Security Analyst who works with Fortune 100 financial institutions. He holds an MS from Valparaiso University, and is finishing his MBA at the University of North Carolina at Charlotte. His specialities are information security metrics, governance, and risk decision modeling. When he isn’t covered in data, Matthew is covered in diapers and formula while chasing around his 9 month old triplets.

If you’re curious about where CISPA allows private companies to share your private data, here is a list*:

Agencies within the Executive Office of the President:

Council of Economic Advisers
Council on Environmental Quality
Domestic Policy Council
National Economic Council
National Security Council
Office of Administration
Office of Faith-Based and Neighborhood Partnerships
Office of Management and Budget
Office of National AIDS Policy
Office of National Drug Control Policy
Office of Intergovernmental Affairs and Public Engagement
Office of Science and Technology Policy
Office of the President
Office of the First Lady
Office of the First Children
Office of the Vice President
Office of the Second Lady
Office of the Second Children
President’s Economic Recovery Advisory Board
President’s Intelligence Oversight Board
President’s Intelligence Advisory Board
United States Trade Representative
White House Office
White House Military Office

Agencies within the Department of Agriculture:

Agricultural Marketing Service
Agricultural Research Service
Animal and Plant Health Inspection Service
Center for Nutrition Policy and Promotion
Economic Research Service
Farm Service Agency
Commodity Credit Corporation
Food and Nutrition Service
Food Safety and Inspection Service
Foreign Agricultural Service
Forest Service
Grain Inspection, Packers and Stockyards Administration
Marketing and Regulatory Programs
National Agricultural Statistics Service
National Institute of Food and Agriculture
4-H
Natural Resources Conservation Service
Risk Management Agency
Federal Crop Insurance Corporation
Rural Business and Cooperative Programs
Office of Rural Development
Research, Education and Economics
Rural Housing Service
Rural Utilities Service

Agencies within the Department of Commerce:

Census Bureau
Bureau of Economic Analysis
Bureau of Industry and Security
Economic Development Administration
Economics and Statistics Administration
Export Enforcement
Import Administration
International Trade Administration
Office of Travel and Tourism Industries
Invest in America
Manufacturing and Services
Marine and Aviation Operations
Market Access and Compliance
Minority Business Development Agency
National Oceanic and Atmospheric Administration
NOAA Commissioned Corps
National Environmental Satellite, Data, and Information Service
National Marine Fisheries Service
National Oceanic Service
National Weather Service
National Telecommunications and Information Administration
Patent and Trademark Office
National Institute of Standards and Technology
National Technical Information Service
Trade Promotion and the U.S. And Foreign Commercial Service

Federal Student Aid
Institute of Education Sciences
National Center for Education Statistics
National Center for Education Evaluation and Regional Assistance
Education Resources Information Center
National Center for Education Research
National Center for Special Education Research
National Assessment Governing Board
National Assessment of Educational Progress
Office for Civil Rights
Office of Elementary and Secondary Education
Office of Safe and Healthy Students
Office of Postsecondary Education
Office of Special Education and Rehabilitative Services
National Institute on Disability and Rehabilitation Research
Office of Special Education Programs
Rehabilitation Services Administration
Special institutions
American Printing House for the Blind
National Technical Institute for the Deaf
Gallaudet University
Office of Vocational and Adult Education

Agencies within the Department of Energy:

Energy Information Administration
Federal Energy Regulatory Commission
National Laboratories & Technology Centers
University Corporation for Atmospheric Research
National Nuclear Security Administration
Power Marketing Administrations:
Bonneville Power Administration
Southeastern Power Administration
Southwestern Power Administration
Western Area Power Administration

Agencies within the Department of Health and Human Services:

Administration on Aging
Administration for Children and Families
Administration for Children, Youth and Families
Agency for Healthcare Research and Quality
Centers for Disease Control and Prevention
National Institute for Occupational Safety and Health
Epidemic Intelligence Service
National Center for Health Statistics
Centers for Medicare and Medicaid Services
Food and Drug Administration
Reagan-Udall Foundation
Health Resources and Services Administration
Patient Affordable Healthcare Care Act Program {to be implemented fully in 2014}
Independent Payment Advisory Board
Indian Health Service
National Institutes of Health
National Health Intelligence Service
Public Health Service
Federal Occupational Health
Office of the Surgeon General
United States Public Health Service Commissioned Corps
Substance Abuse and Mental Health Services Administration

Within the Department of Homeland Security

Agencies

Federal Emergency Management Agency

FEMA Corps
U.S. Fire Administration
National Flood Insurance Program
Federal Law Enforcement Training Center
Transportation Security Administration
United States Citizenship and Immigration Services
United States Coast Guard (Transfers to Department of Defense during declared war or national emergency)
Coast Guard Intelligence
National Ice Center
United States Ice Patrol
United States Customs and Border Protection
Office of Air and Marine
Office of Border Patrol
U.S. Border Patrol
Border Patrol Intelligence
Office of Field Operations
United States Immigration and Customs Enforcement
United States Secret Service
Secret Service Intelligence Service

Offices

Domestic Nuclear Detection Office
Office of Health Affairs
Office of Component Services
Office of International Affairs and Global Health Security
Office of Medical Readiness
Office of Weapons of Mass Destruction and Biodefense
Office of Intelligence and Analysis
Office of Operations Coordination
Office of Policy
Homeland Security Advisory Council
Office of International Affairs
Office of Immigration Statistics
Office of Policy Development
Office for State and Local Law Enforcement
Office of Strategic Plans
Private Sector Office

Management

Directorate for Management

National Protection and Programs

National Protection and Programs Directorate
Federal Protective Service
Office of Cybersecurity and Communications
National Communications System
National Cyber Security Division
United States Computer Emergency Readiness Team
Office of Emergency Communications
Office of Infrastructure Protection
Office of Risk Management and Analysis
United States Visitor and Immigrant Status Indicator Technology (US-VISIT)

Center for Faith-Based and Neighborhood Partnerships (HUD)
Departmental Enforcement Center
Office of Community Planning and Development
Office of Congressional and Intergovernmental Relations
Office of Equal Employment Opportunity
Office of Fair Housing and Equal Opportunity
Office of Field Policy and Management
Office of the General Counsel
Office of Healthy Homes and Lead Hazard Control
Office of Hearings and Appeals
Office of Labor Relations
Office of Policy Development and Research
Office of Public Affairs
Office of Public and Indian Housing
Office of Small and Disadvantaged Business Utilization
Office of Sustainable Housing and Communities

Corporation

Government National Mortgage Association (Ginnie Mae)

Within the Department of the Interior

Agencies:

Bureau of Indian Affairs
Bureau of Land Management
Bureau of Reclamation
Fish and Wildlife Service
Bureau of Ocean Energy Management (formerly Minerals Management Service)
Bureau of Safety and Environmental Enforcement (formerly Minerals Management Service)
National Park Service
Office of Insular Affairs
Office of Surface Mining
National Mine Map Repository
United States Geological Survey

Within the Department of Justice

Agencies:

Antitrust Division
Asset Forfeiture Program
Bureau of Alcohol, Tobacco, Firearms and Explosives
Civil Division
Civil Rights Division
Community Oriented Policing Services
Community Relations Service
Criminal Division
Diversion Control Program
Drug Enforcement Administration
Environment and Natural Resources Division
Executive Office for Immigration Review
Executive Office for Organized Crime Drug Enforcement Task Forces
Executive Office for United States Attorneys
Executive Office for United States Trustees
Federal Bureau of Investigation
Federal Bureau of Prisons
UNICOR
Foreign Claims Settlement Commission
INTERPOL – United States National Central Bureau
Justice Management Division
National Crime Information Center
National Drug Intelligence Center
National Institute of Corrections
National Security Division
Office of the Associate Attorney General
Office of the Attorney General
Office of Attorney Recruitment and Management
Office of the Chief Information Officer
Office of the Deputy Attorney General
Office of Dispute Resolution
Office of the Federal Detention Trustee
Office of Information Policy
Office of Intergovernmental and Public Liaison
Office of Intelligence and Analysis
Office of Justice Programs
Bureau of Justice Assistance
Bureau of Justice Statistics
Community Capacity Development Office
National Criminal Justice Reference Service
National Institute of Justice
Office of Juvenile Justice and Delinquency Prevention
Office for Victims of Crime
Office of Legal Counsel
Office of Legal Policy
Office of Legislative Affairs
Office of the Pardon Attorney
Office of Privacy and Civil Liberties
Office of Professional Responsibility
Office of Public Affairs
Office of Sex Offender Sentencing, Monitoring, Apprehending, Registering and Tracking
Office of the Solicitor General
Office of Special Counsel
Office of Tribal Justice
Office on Violence Against Women
Professional Responsibility Advisory Office
Tax Division
United States Attorneys
United States Marshals
United States Parole Commission
United States Trustee Program

Office of Administrative Law Judges
Office of the Assistant Secretary for Administration and Management
Office of the Assistant Secretary for Policy
Office of the Chief Financial Officer
Office of the Chief Information Officer
Office of Congressional and Intergovernmental Affairs
Office of Disability Employment Policy
Office of Federal Contract Compliance Programs
Office of Labor-Management Standards
Office of the Solicitor
Office of Worker’s Compensation Program
Ombudsman for the Energy Employees Occupational Illness Compensation Program

Within the Department of State

Agencies and Bureaus

National Council for the Traditional Arts

Reporting to the Secretary

Bureau of Intelligence and Research
Bureau of Legislative Affairs
Office of the Legal Adviser

Reporting to the Deputy Secretary for Management and Resources

Executive Secretariat
Office of the Chief of Protocol
Office for Civil Rights
Office of the Coordinator for Counterterrorism
Office of the United States Global AIDS Coordinator
Office of Global Criminal Justice
Policy Planning Staff

Reporting to the Under Secretary for Arms Control and International Security

Bureau of International Security and Nonproliferation
Bureau of Political-Military Affairs
Bureau of Arms Control, Verification and Compliance

Reporting to the Under Secretary for Democracy and Global Affairs

Bureau of Democracy, Human Rights, and Labor
Bureau of Oceans and International Environmental and Scientific Affairs
Bureau of Population, Refugees, and Migration
Office to Monitor and Combat Trafficking in Persons

Reporting to the Under Secretary for Economic, Energy and Agricultural Affairs

Bureau of African Affairs
Bureau of East Asian and Pacific Affairs
Bureau of European and Eurasian Affairs
Bureau for International Narcotics and Law Enforcement Affairs
Bureau of International Organization Affairs
Bureau of Near Eastern Affairs
Bureau of South and Central Asian Affairs
Bureau of Western Hemisphere Affairs

Reporting to the Under Secretary for Public Diplomacy and Public Affairs

Bureau of Educational and Cultural Affairs
Bureau of International Information Programs
Bureau of Public Affairs
Office of the Historian
Office of Policy, Planning and Resources for Public Diplomacy and Public Affairs

Permanent Diplomatic Missions

United States Mission to the African Union
United States Mission to ASEAN
United States mission to the Arab League
United States mission to the Council of Europe (and to all other European Agencies)
United States Mission to International Organizations in Vienna
United States Mission to the European Union
United States Mission to the International Civil Aviation Organization
United States Mission to the North Atlantic Treaty Organization
United States Mission to the Organisation for Economic Co-operation and Development
United States Mission to the Organization of American States
United States Mission to the Organization for Security and Cooperation in Europe
United States Mission to the United Nations
United States Mission to the UN Agencies in Rome
United States Mission to the United Nations Office and Other International Organizations in Geneva
United States Observer Mission to the United Nations Educational, Scientific, and Cultural Organization
United States Permanent Mission to the United Nations Environment Program and the United Nations Human Settlements Programme

Alcohol and Tobacco Tax and Trade Bureau
Bureau of Engraving and Printing
Bureau of the Public Debt
Community Development Financial Institutions Fund
Federal Consulting Group
Financial Crimes Enforcement Network
Financial Management Service
Internal Revenue Service
Office of the Comptroller of the Currency
Office of Thrift Supervision
Office of Financial Stability
United States Mint

Offices

Office of Domestic Finance
Office of Economic Policy
Office of International Affairs
Office of Tax Policy
Office of Terrorism and Financial Intelligence
Treasurer of the United States